The New York Department of Environmental Conservation (“DEC”) issued an enforcement discretion letter related to storage time limitation requirements for regulated medical waste containers, revising 6 NYCRR 365-1.2(b)(7) and 6 NYCRR 365-1.2(b)(8). Based upon concerns of small generators of regulated medical waste (“RMW”) such as dental offices, the DEC will revise provisions related to the removal of RMW and sharps from patient care or use areas to a room or area designated for RMW storage. The DEC will now require that RMW and sharps be removed when the container has reached the fill line indicated on the container, is otherwise filled, or the container generates odors or other evidence of putrefaction, whichever comes first. This allows small generators additional time as the regulations now provide specific hour and day requirements for the removal of these items.

Brach Eichler LLC has filed a law suit against health insurer Aetna, Inc. and others, alleging breach of privacy relating to mailings the company sent as part of the settlement of previous privacy-based lawsuits against the insurer relating to patient HIV-medication status. Members Lani M. Dornfeld, Esq. and Edward P. Capozzi, Esq. and Associate Dennis Shlionsky, Esq. represent the plaintiffs in the action.

The suit was submitted to the Superior Court of New Jersey, Essex County, last week. Aetna’s privacy breach is believed to have involved the private HIV medication information of more than 12,000 Aetna insureds. The New Jersey suit, John Smith and Richard Becker (Fictitious Designations) vs. Aetna, Inc.; Aetna Health Inc.; Aetna Specialty Pharmacy, LLC; ABC Corporation (1-10) and Doe Vendor, may be the first suit related to the Aetna breach to be filed in the State of New Jersey.

The New Jersey suit filed by Brach Eichler alleges violation of the New Jersey AIDS Assistance Act, as well as invasion of privacy and negligence on the part of Aetna and the other defendants. (ABC Corporation is a class of fictitiously named individuals or entities responsible for the disclosure and/or presentation of private medical information regarding the plaintiffs, and Doe Vendor is a class of fictitiously named individuals and/or entities representing the unidentified vendor that Aetna used to send its mailing.) The complaint alleges the case is about “Aetna’s repeated failure to respect the privacy rights of people who are taking HIV medications.”

Dornfeld, a member in Brach Eichler’s health law practice who devotes a significant portion of her practice to HIPAA and privacy-related matters, said, “The allegations demonstrate an egregious violation of the New Jersey AIDS Assistance Act, as well as extreme negligence on the part of the defendants. The AIDS Assistance Act was passed by the New Jersey legislature to place strict privacy safeguards around HIV and HIV-related information in order to protect individuals from the very type of harm and stigmatism suffered by these plaintiffs.” Dornfeld noted that the act provides for punitive damages, which the plaintiffs are seeking in this case.

Pursuant to the complaint, the background to the suit relates to two separate class actions against Aetna in 2014 and 2015 alleging Aetna jeopardized the privacy of people taking HIV medications by requiring its insureds to receive their HIV medications through the mail and not allowing them to pick up their medications in-person at their chosen pharmacy. Those cases are Doe v. Aetna, Inc., No. 14-cv-2986 (S.D.Cal) and Doe v. Coventry Health Care, Inc., No 15-cv-62685 (S.D. Fla.). The Doe lawsuits were never certified as class actions, but rather were settled by Aetna and the individual plaintiffs in those cases. As a condition of those individual settlements and in addition to payment of damages, Aetna agreed to send notice to its insureds who had been required to mail-order their HIV medications, informing them they were no longer required to do so.

In sending out the notices, which occurred in or about July 2017, the Brach Eichler complaint alleges that “Aetna again failed to recognize the dangers associated with sending information about HIV medications through the mail.” Rather than sending the notices in an opaque envelope, the envelope used for the notices contained a large window, covering almost half of the front of the envelope, in which “instructions about how individuals could obtain their HIV medications were visible from the outside of the envelope.”

According to Capozzi, who chairs Brach Eichler’s personal injury practice, “The plaintiffs in the New Jersey action allege, among other things, severe and disabling emotional distress and insult, embarrassment, humiliation, increased stress and anxiety.”

In Pennsylvania, the AIDS Law Project of Pennsylvania and Berger & Montague filed a class action on August 28th of this year, in the U.S. District Court for the Eastern District of Pennsylvania. Almost simultaneously with Brach Eichler’s filing, a California man filed suit against Aetna in California stemming from Aetna’s privacy breach and alleging Aetna violated state and federal privacy laws.

Sanders Proposes Medicare for All Act of 2017October 16, 2017

Senator Bernie Sanders recently proposed Senate Bill 1804, which seeks
to expand Medicare into a universal health insurance program. The bill would replace America’s health care system with a public system funded by higher taxes.

Rollout. Children would immediately receive universal Medicare cards. Adults not currently eligible for Medicare would be phased in over four years based on age. In the first year, the plan would cover Americans over 55. By year two, everyone over 45 would be covered. In year three, the plan would cover those over 35, and in year four, all Americans would be covered.

Funding. The bill is projected to require significantly more revenue,
but there is no plan for how to fund the bill. Senator Sanders released a number of funding proposals, including a 7.5 percent payroll tax on employers, a 4 percent income tax, and additional taxes on wealthier Americans and corporations. Critics say that even the proposed methods would fall far short of funding the plan.

Support. The bill is backed by at least 16 Democratic senators, which is an unprecedented level of support for this type of proposal. In the House, a single payer bill introduced by Rep. John Conyers has the support of more than 60 percent of Democrats.

St. Mark’s Surgical Center in Fort Myers, Florida was the target of a ransomware attack earlier this year that prevented access to patient data, including protected health information (PHI), such as names, dates of birth, and Social Security numbers. A ransomware attack will infiltrate a company’s data, encrypt it and only offer the release of the data upon payment of a ransom. It is possible a ransomware attack also could cause the breach of PHI outside the organization.

The Department of Health and Human Services, Office for Civil Rights (OCR), the HIPAA enforcement agency, reports that ransomware attacks are on the rise with over 4,000 daily attacks since early 2016, a 300% increase compared to 2015. HIPAA requires covered entities and business associates to have in place security measures that can help prevent ransomware attacks, including, among other measures, (1) a security management process, which includes a risk analysis to identify threats and vulnerabilities; (2) procedures to guard and detect against malicious software; (3) staff training to educate staff to identify, assist in detecting, and report malicious software; and (4) implementation of access controls to limit access to PHI to only those necessary.

The OCR has issued guidance stating that ransomware attacks are presumed to result in a breach of PHI unless the affected covered entity or business associate can prove, through an investigation and risk assessment, that there is a low probability PHI was compromised. Covered entities have a maximum of 60 days following the discovery of a breach to report the breach to affected individuals and, in certain circumstances, to the OCR and other authorities. In this matter, St. Mark’s was assessed a monetary penalty for late notification.

If you need assistance with your organization’s HIPAA policies and procedures, risk management plan, or investigating and responding to a breach or suspected breach incident, including a ransomware attack, please contact a member of our Health Care Practice Group.

Opioid Prescriptions in the Age of EMR – Why Physicians Must be Ultra-VigilantSeptember 21, 2017

Opioid addiction and abuse is a national health crisis, with the over-prescription of narcotics such as Oxycontin, Oxycodone and Fentanyl at the foundation of this growing problem. According to the CDC, overdose deaths involving prescription opioids have quadrupled since 1999 along with sales of these prescription drugs. From 1999 to 2015, more than 183,000 people in the U.S. died from overdoses related to prescription opioids.

With the recent increased scrutiny on opioid prescribing comes the burden of documentation for physicians who prescribe opioids. Aside from weighing the risk-benefit factor for each patient’s pain relief, doctors must also meticulously document medical care in compliance with increased regulatory oversight, or risk sanctions against their medical license.

Compliance and regulatory matters bring an increased need for thorough patient examinations and rigorous documentation of medical care by way of thorough and contemporaneous notes. Any physician who writes opioid prescriptions must first do a patient evaluation and include the name, strength, and quantity of the narcotic in the medical record (as well as on the written prescription).

While the use of electronic medical records (EMR) should make proper documentation easier, medical practices must also ensure their EMR system’s reliability and upkeep to avoid any impediments to compliance.

Two cases come to mind that illustrate the ramifications of not using and maintaining an EMR system properly.

A doctor in a three-physician practice was suddenly faced with working alone due to various circumstances. During that time, the practice’s EMR system wasn’t working properly and this physician had only worked with paper records in the past. Although he’d obtained complete patient histories and conducted thorough examinations, critical information was excluded from those patients’ EMRs because he was not familiar with the EMR system. Much of that missing information was about opioid prescriptions he’d written to manage patients’ pain. Exacerbating the problem was that he was not a practice owner who could allocate funds towards the system’s repair. The EMR’s malfunction led to cascading problems: Because this information had not been entered into the EMR system, the practice came under the scrutiny of the state licensing authority and patient records were subpoenaed. The physician had to appear before an investigating committee and answer to the practice partners regarding the wide gaps in the medical records.

Another pain management physician was in the process of changing his EMR system vendor and had prescribed a significant amount of opioids for pain management. The quantity of opioid prescriptions caught the attention of his state licensing authority, which subpoenaed patient records. However, this doctor was unable to produce the complete charts because during the EMR vendor transition, many progress notes and other medical record components had vanished. This and other factors resulted in the physician’s license being temporarily suspended pending a full hearing.

While EMR has vastly improved medical recordkeeping, the burden is still on the physician to ensure that scrupulous documentation occurs and that the medical records are entered into the system properly. The physician is responsible for any breakdowns in the process. Therefore, it is critical for every practitioner and practice to:

Continually monitor patient records and the EMR system to assure its proper function and use.

Educate himself or herself about state licensing authority regulations regarding narcotics to ensure prescription and documentation compliance. Regulations will likely dictate appropriate dosage, strength, and quantity of the medication; circumstances that permit multiple prescriptions and the necessity of treatment plans; guidance on what constitutes a thorough medical history and whether the physician must access a state prescription monitoring program.

Given the country’s opioid crisis and the current regulatory environment, physicians must be vigilant about their patients’ medical records as well as the proper implementation and maintenance of their EMR systems. To do otherwise could put them and their medical practice at risk.

Legislative UpdateSeptember 20, 2017

Amendments to Physician Assistant Regulations — On August 21, 2017, the State Board of Medical Examiners, as recommended by the Physician Assistant Advisory Committee, proposed to amend its rules and promulgate new rules to implement P.L. 2015, c. 224, which created an expanded, physician-delegated scope of practice for physician assistants. P.L. 2015, c. 224, which became effective on August 1, 2016, revised the scope of practice for physician assistants, requires all physician assistants in the State to maintain malpractice liability insurance or a letter of credit, and requires physician assistants to have a separate written agreement with each physician who delegates medical services to the physician assistant. Written comments on the proposed rules must be submitted by October 20, 2017.

Prescription Drug Insurance Coverage — On August 24, 2017, Assembly Bill A5144 was introduced to require health insurers to provide coverage for prescription drugs through the entire course of treatment as determined by the prescriber. The time period for the course of treatment would be determined solely by the covered person’s prescriber without the imposition of any utilization management requirements.

Health Care Facilities Legislation Passed by Legislature — On July 31, 2017, the New Jersey Assembly passed S2563, which had previously been passed by the Senate on June 22, 2017. The bill clarifies Department of Consumer Affairs rulemaking authority over freestanding residential health care facilities, and prohibits eviction of residents from such facilities, except for good cause. The bill now awaits approval from Governor Christie.

BME, BON and DOBI Propose Amendments to Regulations and a New DOBI RuleSeptember 18, 2017

Two New Jersey professional licensing boards, the State Board of Medical Examiners (BME) and the State Board of Nursing (BON), published proposed amendments to regulations in the September 5, 2017 New Jersey Register. In addition, the New Jersey Department of Banking and Insurance (DOBI) proposed amendments to certain regulations and a new regulation.

The BME published a proposed amendment to N.J.A.C. 13:35-7.5, Requirements for the Dispensing of Drugs and Special Limitations Applicable to the Dispensing of Drugs for a Fee. Under New Jersey law, N.J.S.A. 45:9-22, physicians are prohibited from dispensing more than a seven-day supply of drugs or medications. The law provides exemptions to this prohibition, including a statutory amendment adding a new exemption for dispensing a food concentrate, food extract, vitamin, mineral, herb, enzyme, amino acid, tissue or cell salt, glandular extract, neutraceutical, botanical, homeopathic remedy, or other nutritional supplement. The BME proposes to amend its regulations to recognize the new exemption to the seven-day dispensing limitation.

The BON proposes to readopt nursing rules at N.J.A.C. 13:37, with amendment. The proposal includes an amendment to continuing education requirements. In particular, the rule adds an additional manner in which a registered professional nurse or licensed practical nurse may obtain continuing educational hours, as follows: successful completion of continuing education courses or programs related to nursing approved by, or offered by entities accredited by, the American Nurse Credentialing Center. Credits will be awarded one hour for each 60 minutes of attendance. The BON also proposes to delete certain outdated/expired requirements regarding continuing education for organ and tissue donation and certain proofs for certification training.

The DOBI, Office of Life and Health, has proposed amendments to N.J.A.C. 11:24-1.2 and 11:24A-1.2 and 2.3, to reinforce the existing rights of a covered person (a person who receives benefits or health care services under a health benefits plan) to request to receive services from an out-of-network provider, but pay only network-level cost sharing when the network associated with the covered person’s plan does not contain a qualified, accessible, and available provider to perform the needed service.

The DOBI also proposes to amend regulations governing prompt payment of health benefit claims, at N.J.A.C. 1:22-1.2, 1.6, 1.9 and 1.10, and proposes a new rule at 11:22-1.5. DOBI proposes to amend the rules governing the prompt payment of claims to increase transparency and accountability related to health benefit plans. The new rule at N.J.A.C. 11:22-1.5 would set forth the minimum requirements for an Explanation of Benefits (EOB), including that every carrier will be required to provide an EOB, electronically or in writing, to a covered person in response to the filing of a claim by a provider or a person covered under a health benefits plan. A carrier or its agent must provide an EOB within 30 days if the claim is filed electronically or 40 days if the claim is submitted in writing. The EOB will be required to include at least: (1) name of the covered person; (2) name of the provider; (3) date of service; (4) clear description of the service; (5) billed charge; (6) allowed charge; (7) non-covered amount; (8) a specific explanation of why a charge is not covered by the health benefits plan, with specific requirements for how denial reasons must be stated; (9) the amount that is the covered person’s responsibility due to deductible, coinsurance, and copayment; (10) the accumulation toward the covered person’s deductible or family deductible, if applicable; (11) amount paid by plan, with any paid interest shown separately; (12) an explanation of the process to appeal the determination on the claim; and (13) a telephone number for additional information on the processing of the claim, or (14) if review of the claim is still pending upon issuance of the EOB, the EOB shall so state and items (6) through (10) can be omitted.

The New Jersey Division of Consumer Affairs (DCA) recently published proposed regulations to amend existing rules governing health care service firms. The regulations generally require health care service firms to register with the DCA and provide basic rules for operating health care service firms in New Jersey. The current regulations define a health care service firm as any person who operates a firm that employs individuals to provide health care or personal care services either directly in the home or at a care-giving facility. “Health care services” means any services rendered for the purpose of maintaining or restoring an individual’s physical or mental health, or any health-related services for which licensure, registration or certification is required. “Personal care services” are defined to include bathing; toileting; transferring; dressing; grooming; and assistance with ambulation, exercise, or other aspects of personal hygiene.

Under the proposed amendment, a person who operates a firm that employs individuals to provide companion services would be included within the definition of health care service firms that require registration with the DCA. “Companion services” would be defined as non-medical, basic supervision, and socialization services that do not include assistance with activities of daily living and that are provided in an individual’s home, and may include household chores. The proposed amendment also would require all new and existing health care service firms to annually submit evidence of accreditation by an accrediting body for homemaker agencies participating in Medicaid; one that is recognized by the New Jersey Department of Human Services. Also under the proposed amendment, a health care service firm would be required to submit an audit to DCA every third year. The audit would be required to be conducted by a certified public accountant and be divided into a compliance component and a financial component. The DCA will be accepting
comments regarding the proposed amendment through October 20, 2017.

Mid-Atlantic Surgical Associates PC (Mid-Atlantic), a cardiac surgery group, filed a class action lawsuit against UnitedHealthcare, alleging that UnitedHealthcare underpaid out-of-network providers for emergency medical services and advised its patients, both verbally and in writing, to ignore bills for services from these providers. Mid-Atlantic asserted that UnitedHealthcare violated state and federal regulations in order to pressure out-of-network providers, including Mid-Atlantic, to become in-network providers with UnitedHealthcare. It is alleged that UnitedHealthcare has offered to defend its members, by paying for their lawyers, if out-of-network providers sue members to collect outstanding balance bills, i.e., the difference between what UnitedHealthcare decides to pay Mid-Atlantic, and its member’s copayment, coinsurance, or deductible. It is believed that the class members in this action, out-of-network providers that have been subject to UnitedHealthcare’s underpayments, number into the hundreds.

UnitedHealthcare argued that providers must accept payment that UnitedHealthcare deems to be sufficient under FAIR Health usual and customary charge data regardless of Mid-Atlantic and other providers’ actual billed charges. Alternatively, Mid-Atlantic contended that there is no agreement between them and UnitedHealthcare, and Mid-Atlantic
never agreed to accept payments based on FAIR Health.

Mid-Atlantic is seeking, among other damages including compensatory damages, injunctive relief, and counsel fees, (1) that UnitedHealthcare pay out-of-network emergency medical services in amounts that ensure balance bills are not sent to the patients, and (2) confirmation that out-of-network providers are permitted to bill a UnitedHealthcare member the difference between the payment made by UnitedHealthcare and such member’s copayment, coinsurance, or deductible.

Opioid Crisis: Still Not “Officially” a National EmergencySeptember 6, 2017

A few weeks after firmly stating his intention to declare the opioid crisis a national emergency, President Trump has yet to take the steps necessary to do so.

There are currently 28 active national emergencies, none of which are clearly directed at U.S. public health. National emergencies, each of which must be renewed by the President annually, are typically used to freeze the assets of foreign nationals or impose sanctions on another country. While national emergencies can be declared to address public health crises, the most direct way to do so is through the declaration of a public health emergency.

Public health emergencies are distinct from national emergencies declared by the President. Instead, the Secretary of Health and Human Services, Tom Price, could declare a public health emergency on his own. This would unlock a range of expanded powers for the Department of Health and Human Services, permitting the Secretary to issue grants and spend money for this purpose which he otherwise could not do. The Secretary also would be given additional freedom to direct resources and amend regulations.

Only with the swine flu outbreak in 2009 was a recent public health emergency also declared a national health emergency to the entire country. If the President chooses to formally declare the opioid crisis a national emergency, the federal government may look to states that already have implemented public health emergencies to address the opioid crisis, including Maryland, Massachusetts, Alaska, Arizona, Virginia, and Florida. These states provide a model for (1) using public health emergency declarations to implement new prescription guidelines for healthcare professionals; (2) expanding educational programs about addiction; (3) increasing access to treatment including medications for addiction treatment; and (4) broadening availability of emergency tools such as naloxone, a medication used to revive someone who has overdosed. These combined efforts can make a significant impact in saving lives.